This presentation discusses the requirements for supporting Virtual Organizations (VOs) and the challenges that arise, such as managing user affiliations, resource privileges, and attribute expressions. It also explores the need for delegated IAM admin services and the challenge of identity fragmentation at the federation level.
Emerging from the mists: Requirements for supporting VOs
http://arch.doit.wisc.edu/keith/camp/voReqs-050701-01.ppt
Keith Hazelton (hazelton@doit.wisc.edu), Sr. IT Architect, University of Wisconsin-Madison
Internet2 MACE Advanced CAMP, Denver, July 1, 2005
Federated Identity & Access Management (FIAM)
• FIAM: Self-predicting term in Latin: “I will be made”
• root meaning: to make
  • passive voice
  • indicative mood
  • future tense
God bless the VO known as WIKIpedia
VO challenges I heard at CAMP
• VO support utilities must be as easy to use as
  • managing a local collaboration team
  • sharing applications on a single host
• …or else?
• Or else the latter is exactly how it will be done
VO challenges I heard at CAMP
• For both ScienceGateway & Vivarium:
  • IdPs and SPs in a given VO will need mechanisms by which they
    • come to agreements on
    • manage
    • and use information.
• What information?
VO challenges I heard at CAMP
• Well, MINIMALLY, information re:
  • what user affiliations/groups there are (IdP)
  • what resource/host-level privileges members of those affiliations should have (SP)
  • what (SAML) attributes & values will express those affiliations/groups (IdP/SP agreement)
Managing Roles & Privileges: The Internet2 way
Role-Based Access Control (RBAC) model
• Users are placed into groups
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to effectively bestow privileges
• Signet manages privileges
• Grouper manages, well, groups
MAXIMAL case: Model from Signet
[Diagram: Signet business view, organized into Subsystems, Categories, Functions (organizing actions) and Limits. Entries shown: Course Support, Add/Drop students (Which term); Student Admin, Schedule Classes (Which campus), Process Applicants (For school…); Financial Aid, Award Scholarships (From Fund…), Manage Accounts (For fund…); Patient Records, Protocol A Clinical Trial (Read/Write); Materials Control (Qty/day); Manage Grant Administration ($ constraints); Lab Access (Hours).]
VO challenges I heard at CAMP
• MAXIMALLY, information re:
  • what subsystems there are
  • what functions in what organizing categories there are
  • what affiliations/groups have those categories/functions on those subsystems
  • what resource/host-level privileges are required to perform those functions
VO challenges I heard at CAMP
• And information re:
  • what attributes will express those groups and privileges
  • which party will maintain the registries and delivery services for which bits of this information
• Signet suggested these categories of information
Bold Conclusion (for debate)
• IdP site should manage users, groups/affiliations
• SP site should manage system-level permissions and what groups/affiliations get which ones
• That’s it! (for MINIMAL entry-level case)
Bold Conclusion MAXIMAL case (for debate)
• IdP site should manage users, groups/affiliations
• SP site should manage system-level permissions
• Both must agree on subsystems and categories of functions down to syntax and semantics of attributes/expressions
• IdP should maintain map from user/group to function
• SP should maintain map from function to permissions
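The RBAC slide and the MAXIMAL-case conclusion describe a division of labour: the IdP holds users, groups and their hierarchy plus the group-to-function map, and asserts functions as attribute values; the SP holds only the function-to-permission map. The following added example (not from the slides, Signet or Grouper) sketches that split; the group names, the "subsystem:function" attribute syntax and the permission strings are constructed sample values.

```python
# Added illustration of the IdP/SP split described in the slides. All data is constructed.
from typing import Dict, List, Set

# ---- IdP side: users, groups, hierarchy, group -> function map ----
USER_GROUPS: Dict[str, Set[str]] = {"alice": {"registrar-staff"}, "bob": {"lab-member"}}
# child group -> parent groups; members of a child inherit the parent's functions
GROUP_PARENTS: Dict[str, Set[str]] = {"registrar-staff": {"student-admin"}, "lab-member": set()}
# Functions use the agreed "subsystem:function" syntax (the IdP/SP agreement on attributes)
GROUP_FUNCTIONS: Dict[str, Set[str]] = {
    "student-admin": {"course-support:add-drop-students", "student-admin:schedule-classes"},
    "registrar-staff": {"course-support:add-drop-students"},
    "lab-member": {"lab-access:enter"},
}

def effective_groups(user: str) -> Set[str]:
    """Expand a user's direct groups through the hierarchy (cycle-safe)."""
    seen: Set[str] = set()
    todo = list(USER_GROUPS.get(user, ()))
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(GROUP_PARENTS.get(g, ()))
    return seen

def idp_assert_functions(user: str) -> List[str]:
    """Attribute values the IdP asserts: functions, never raw groups or SP permissions."""
    funcs: Set[str] = set()
    for g in effective_groups(user):
        funcs |= GROUP_FUNCTIONS.get(g, set())
    return sorted(funcs)

# ---- SP side: function -> system-level permissions, maintained locally ----
FUNCTION_PERMISSIONS: Dict[str, Set[str]] = {
    "course-support:add-drop-students": {"sis.enrollment.write"},
    "student-admin:schedule-classes": {"sis.schedule.write", "sis.rooms.read"},
    "lab-access:enter": {"door.lab101.unlock"},
}

def sp_permissions(asserted_functions: List[str]) -> Set[str]:
    """Map asserted functions to local permissions; unknown functions grant nothing."""
    perms: Set[str] = set()
    for f in asserted_functions:
        perms |= FUNCTION_PERMISSIONS.get(f, set())
    return perms

def sp_authorize(asserted_functions: List[str], permission: str) -> bool:
    """Access decision at the SP, based only on the asserted functions."""
    return permission in sp_permissions(asserted_functions)
```

Note that the SP never needs to know the IdP's group structure, and a function the SP has not mapped (for example one asserted by a misconfigured IdP) yields no permission at all.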
VO challenges I heard at CAMP
• MUST have: Delegable IAM admin services
  • with absolutely no dependencies on the specific institutional home base of
    • the users
    • the administrator(s)
    • the service(s)
VO challenges I heard at CAMP
• Users make requests that service providers approve or deny.
• The decision will sometimes depend on amalgamated bits of identity info…
• …for which a variety of IdPs are the authoritative source.
• Whose job is it to overcome identity fragmentation at the federation level?
Q & A